Crowdsec: No ban occurs for Nextcloud #7018

Closed
stephdl opened this issue Sep 13, 2024 · 3 comments
stephdl commented Sep 13, 2024

With Crowdsec we enable a jail to protect nextcloud against brute force; however, this jail is not working properly and this issue attempts to fix it.

Steps to reproduce

  • Install crowdsec and enable the ban on the LAN
  • Install nextcloud on the same node and configure it
  • Do a bad login several times
  • You are never banned

Expected behavior

I expect that after 6 attempts you are banned for a period of time

Actual behavior

We are never banned, for two reasons; the issue is in nextcloud-logs.yaml:

  • The parser expects an output in JSON, but we do not have JSON output in journald
  • The message name in journald is nextcloud-app and not nextcloud

Unfortunately, crowdsec does not support overriding a configuration file with a .local file like crowdsec

Components

crowdsec:1.0.9
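
An added example (not part of the issue or of the project's code): a triage script for the two mismatches described above, run over `journalctl -o json` output. It assumes, as the issue states, a parser that filters on the program name `nextcloud` and JSON-decodes the message; the sample records, the function names and the outcome labels are constructed for illustration.

```python
import json
from collections import Counter

EXPECTED_PROGRAM = "nextcloud"  # program name the parser filters on, per the issue
# Constructed payloads: one JSON log entry and one plain-text line (assumed shapes).
_JSON_MSG = json.dumps({"remoteAddr": "203.0.113.7", "message": "Login failed: admin"})
_TEXT_MSG = "Login failed: admin (Remote IP: 203.0.113.7)"
# Constructed sample of `journalctl -o json` output, one record per line.
SAMPLE_JOURNAL = "\n".join([
    json.dumps({"SYSLOG_IDENTIFIER": "nextcloud-app", "MESSAGE": _TEXT_MSG}),
    json.dumps({"SYSLOG_IDENTIFIER": "nextcloud-app", "MESSAGE": _JSON_MSG}),
    json.dumps({"SYSLOG_IDENTIFIER": "nextcloud", "MESSAGE": _TEXT_MSG}),
    json.dumps({"SYSLOG_IDENTIFIER": "nextcloud", "MESSAGE": _JSON_MSG}),
    "truncated {",
])

def classify(record, expected_program=EXPECTED_PROGRAM):
    """List the reasons a journald record would be skipped, or ['parsed']."""
    reasons = []
    if record.get("SYSLOG_IDENTIFIER") != expected_program:
        reasons.append("program-mismatch")
    try:
        if not isinstance(json.loads(record.get("MESSAGE")), dict):
            reasons.append("message-not-json")
    except (TypeError, ValueError):  # missing, binary (list) or plain-text MESSAGE
        reasons.append("message-not-json")
    return reasons or ["parsed"]

def triage(lines, expected_program=EXPECTED_PROGRAM):
    """Count outcomes over journal export lines."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except ValueError:
            record = None
        if isinstance(record, dict):
            counts.update(classify(record, expected_program))
        else:
            counts["unreadable-journal-line"] += 1
    return counts

if __name__ == "__main__":
    import sys
    lines = SAMPLE_JOURNAL.splitlines() if sys.stdin.isatty() else sys.stdin
    for outcome, n in triage(lines).most_common():
        print(f"{n:6d}  {outcome}")
```

Piping `journalctl -o json` into the script on the node gives the same counts for real records; a record has to come out as `parsed` before a brute-force scenario can ever see it.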


stephdl commented Sep 20, 2024

QA

The goal is:

  • verify the nextcloud jail is enabled and workable
  • verify the crowdsec version 1.6.3 (which is an update) is workable

The target module: ghcr.io/nethserver/crowdsec:1.0.10-dev.2
Test it on DigitalOcean; we do not want to restart crowdsec once installed by setting new settings like Allow to ban on the LAN

  • upgrade (open two terminals, with one to output journalctl -f)
    Install nextcloud and configure it, you must be able to log in
    install crowdsec
    nothing to configure on crowdsec
    upgrade to ghcr.io/nethserver/crowdsec:1.0.10-dev.2
    nothing to configure on crowdsec
    once upgraded, with no action on your side on crowdsec, test bad login after nextcloud; you must see a decision added against you and you will be banned

  • first install (open two terminals, with one to output journalctl -f)
    Install nextcloud and configure it, you must be able to log in
    install ghcr.io/nethserver/crowdsec:1.0.10-dev.2
    nothing to configure on crowdsec
    once installed, with no action on your side on crowdsec, test bad login after nextcloud; you must see a decision added against you and you will be banned

@stephdl added the testing label (Packages are available from testing repositories) Sep 20, 2024
@nrauso self-assigned this Oct 4, 2024
nrauso commented Oct 4, 2024

test case 1: VERIFIED
test case 2: VERIFIED

In both cases, CrowdSec banned the source IP due to an excessive number of attempts:

Oct 04 09:14:59 cloud.test.org crowdsec1[18523]: time="2024-10-04T09:14:59Z" level=info msg="Ip 99.88.77.66 performed 'crowdsecurity/nextcloud-bf' (6 events over 25.250013709s) at 2024-10-04 09:14:59.230228182 +0000 UTC"
Oct 04 09:15:00 cloud.test.org crowdsec1[18523]: time="2024-10-04T09:15:00Z" level=info msg="(localhost/crowdsec) crowdsecurity/nextcloud-bf by ip 99.88.77.66 (IT/3269) : 4m ban on Ip 99.88.77.66"

@nrauso added the verified label (All test cases were verified successfully) and removed the testing label (Packages are available from testing repositories) Oct 4, 2024
stephdl commented Oct 4, 2024

released ghcr.io/nethserver/crowdsec:1.0.10

@stephdl closed this as completed Oct 4, 2024
@github-project-automation bot moved this from In progress to Done in NethServer Oct 4, 2024